Hackers found a freaky new way to kill your car

by EMILY DREYFUSS


The week in security news began much as you’d expect: still trying to make sense of the redacted Mueller report, which was released to Congress late last week. Garrett M. Graff’s takeaways? The report makes clear that Trump was worse than a “useful idiot,” along with 14 other insights you may have missed.

After a horrific string of bombings left more than 300 people dead in Sri Lanka over the weekend, the government there blocked US tech platforms in order to quell the spread of misinformation. Civil rights experts warned that despite the harmful role social media has played in spreading violence and propaganda, this was the wrong move.

Things quickly swerved away from the geopolitical and toward the familiar domain of terrifying hacks, including two that almost sound like hackers are actually reading minds (they’re not). First, a blockchain bandit is guessing people’s private keys and making off with the funds; and next, hackers can tell exactly which Netflix Bandersnatch choices you make. Hackers have also sneaked malware into videogames via their supply chain, which ain’t good. But GoDaddy took down 15,000 spammy domains, which is good. And in even better news, there’s a pretty good fix for the ever-escalating SIM card swap attack—but why isn’t the US using it?

If you haven’t already, do yourself a favor this weekend and read the jaw-dropping tale of bitcoins and murder.

But that’s not all! Every Saturday we round up security news we didn’t break or report on in depth. As usual, click on the headlines to read the full articles. And be safe out there.

Motherboard reports that a hacker going by the name L&M claims to have hacked into 7,000 iTrack and 20,000 ProTrack accounts—GPS tracking tools—and from there gained access to some vehicles’ internal systems. The hacker says he could turn off cars’ engines as they drove under 12 miles an hour or were stopped. On all the vehicles, he was able to track the cars as they drove. He got in by realizing that all users of those apps had been given the same default password. After brute-forcing millions of usernames, he was in. Motherboard confirmed the breach with four people whose information L&M listed in a sample of the breached data he shared with the website. L&M says he did this to show the companies how compromised their security was, and that he has never remotely turned off a car engine. So I guess that’s some comfort?

A new report suggests yet another reason to worry about filling your home with internet of things devices that listen, watch, and wait to get hacked: their peer-to-peer technology isn’t always secure. According to security journalist Brian Krebs, the iLnkP2P software made by Shenzhen Yunni Technology is inside millions of different IoT devices, like doorbells, cameras, and baby monitors. It’s got a weakness that security researcher Paul Marrapese found and shared with Krebs. The software is supposed to make it easier for people to log in remotely to their IoT devices using just a barcode. Marrapese found that the software offers no encryption or authentication, and makes it very easy for hackers to connect directly with these devices. He told Krebs he found more than 2 million devices vulnerable to this kind of attack. He suggests people can protect themselves by setting up a firewall that blocks traffic to the peer-to-peer port, but Krebs has an easier suggestion: “Avoid purchasing or using IoT devices that advertise any P2P capabilities.”

Despite backlash from privacy advocates across the world, the EU this week voted to do the damned thing. That thing being to merge a bunch of different biometric tracking databases for immigration, crime, and border patrol into a single shared database that border and law enforcement agents can use to access people’s biometric information. Once assembled, the database will be one of the biggest “people-tracking databases in the world,” according to ZDNet, containing the records of more than 350 million people. Those records will include both biometrics such as fingerprints and facial scans as well as identification information like passport numbers, names and dates of birth.

This entry was posted on Monday, May 13th, 2019 at 00:01 and is filed under Uncategorized.